sprints work.

etc/appsettings.crypto.eu.yaml

@@ -60,16 +60,74 @@ StellaOps:
         # Enable algorithm downgrade warnings
         WarnOnWeakAlgorithms: true
 
+    # eIDAS Qualified Timestamping Configuration (QTS-001, QTS-004)
+    Timestamping:
+      # Default timestamp mode
+      DefaultMode: Standard  # Standard | Qualified | QualifiedLtv
+
+      # Qualified TSA Providers (EU Trust List validated)
+      Providers:
+        - Name: d-trust-qts
+          Url: https://qts.d-trust.net/tsp
+          Qualified: true
+          TrustListRef: eu-lotl
+          SignatureFormat: CadesT
+          HashAlgorithm: SHA256
+
+        - Name: a-trust-qts
+          Url: https://tsp.a-trust.at/tsp/tsp
+          Qualified: true
+          TrustListRef: eu-lotl
+          SignatureFormat: CadesT
+
+        - Name: infocert-qts
+          Url: https://timestamp.infocert.it/tsa
+          Qualified: true
+          TrustListRef: eu-lotl
+
+        # Non-qualified fallback (for non-EU deployments)
+        - Name: digicert
+          Url: http://timestamp.digicert.com
+          Qualified: false
+
+      # EU Trust List Configuration
+      TrustList:
+        # Online URL for EU List of Trusted Lists (LOTL)
+        LotlUrl: https://ec.europa.eu/tools/lotl/eu-lotl.xml
+
+        # Offline path for air-gapped environments (QTS-004 requirement)
+        OfflinePath: /app/data/trustlists/eu-lotl.xml
+
+        # Cache TTL in hours (refresh interval)
+        CacheTtlHours: 24
+
+        # Verify signature on trust list updates
+        VerifySignature: true
+
+        # Fallback to offline if online fetch fails
+        FallbackToOffline: true
+
+      # Policy Overrides - require qualified timestamps per environment/tag
+      Overrides:
+        - Match:
+            Environments:
+              - production
+              - staging
+          Mode: Qualified
+          TsaProvider: d-trust-qts
+          SignatureFormat: CadesT
+
+        - Match:
+            Tags:
+              - regulated
+              - eidas-required
+              - financial
+          Mode: QualifiedLtv
+          TsaProvider: d-trust-qts
+          SignatureFormat: CadesLT
+
 # eIDAS certificate requirements (for reference):
 # - Certificates must comply with ETSI EN 319 412-1 and 319 412-2
 # - Minimum key lengths: RSA 2048-bit, ECDSA P-256
 # - Qualified certificates require QSCD (e.g., smart card, HSM)
 # - Advanced Electronic Signatures (AdES): XAdES, PAdES, CAdES formats
-
-# Optional: Override default provider preferences
-#   Crypto:
-#     Registry:
-#       PreferredProviders:
-#         - "eidas.soft"
-#         - "default"
-#         - "libsodium"